For the second time in a short while my files/ folder has been hacked. Permissions are set as 755 all across the folder.
I tried to set it up as 750, 754 but it breaks the website.

What happens is that someone manages to upload files in the imagecache subfolders. The first time an html file was uploaded for phishing. The next time an imagecache-generated thumbnail was replaced by another image.

1 Answer

From the information given, it is impossible to give a full answer. For instance: Is your site on a dedicated server, or on shared hosting? What user and group "owns" the files in your Drupal installation? What is the extension (like .php) of the unwanted files somebody places in the imagecache subfolders? (Please edit your question and expand it with this information, it will be a great help in order to give a more precise answer.)

However, the permissions you cite, and in particular the fact that 750 "breaks the website", indicate that you must have gotten something (probably the ownership of the files in your Drupal installation) wrong. 750 means rwxr-x--- while 755 means rwxr-xr-x.

In a shared environment, the web server will either:

Run as the owner of the site (i.e. you). In this case your files/ folder (upload directory) should have 700 (rwx------).

Run as a member of the www group. In this case your files/ folder (upload directory) should have 770 (rwxrwx---).

Not under any circumstance do you want the last triplet (permissions for others) to be anything other than zero.

However, unfortunately, wrong file permissions are probably not the only reason your files/ directory has been compromised. Both 755 and 750 only give write permission to the owner of the files/ directory. You haven't told us who that owner is, but it's either you or the web server user.

If it is you, then your shell account has been compromised, so look for Trojans with the execute bit set (and change your shell account password). If it is the web server user, then you have a cross-scripting attack or a PHP-injection attack, and you need to find and fix that.
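
The checks this answer asks for (who owns the files, a non-zero last permission triplet, files with the execute bit set, unexpected file types among the imagecache thumbnails) can be scripted. The following is an added example, not part of the original answer; the function names, the extension allow-list and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: the upload tree should hold only generated images.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def audit_upload_dir(root):
    """Return sorted (relative_path, issue) pairs plus the set of owner uids."""
    findings, owners = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link permissions say nothing about the target
            rel = os.path.relpath(path, root)
            owners.add(st.st_uid)
            if st.st_mode & stat.S_IRWXO:  # last triplet must be zero
                findings.append((rel, "others-access"))
            if stat.S_ISREG(st.st_mode):
                if st.st_mode & ANY_EXEC:
                    findings.append((rel, "executable-file"))
                if os.path.splitext(path)[1].lower() not in IMAGE_EXTS:
                    findings.append((rel, "unexpected-type"))
    return sorted(findings), owners

def make_demo_tree():
    """Build a constructed sample tree (not data from the question)."""
    root = tempfile.mkdtemp(prefix="files-")
    thumb = os.path.join(root, "imagecache", "thumb")
    os.makedirs(thumb)
    modes = {"a.jpg": 0o660, "login.html": 0o644, "tool.jpg": 0o750}
    for name, mode in modes.items():
        path = os.path.join(thumb, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(path, mode)
    os.chmod(thumb, 0o770)
    os.chmod(os.path.dirname(thumb), 0o755)
    os.chmod(root, 0o770)
    return root

if __name__ == "__main__":
    issues, owners = audit_upload_dir(make_demo_tree())
    for rel, issue in issues:
        print(f"{issue:16} {rel}")
    print("owner uids:", sorted(owners))
```

Run against the real files/ directory, more than one owner uid in the output, or an owner that is neither your account nor the web server user, answers the ownership question the answer raises.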